Small width layout Medium width layout Maximum width layout Small text Medium text Large text
     Search
Downloads Downloads Directory Directory Forums Forums Forge Forge Blogs Blogs        Marketplace Marketplace Careers Program Careers
Community › Forums Register  |  

Affordable ASP.NET Hosting Service
  Ads  
Aspose - The .NET & Java component publisher
 


  Sponsors  

Meet Our Sponsors

Red-Gate Software
MaximumASP
SourceGear - Tools for Developers
.: CounterSoft :.
telerik
ExactTarget email software solutions
 


DotNetNuke Forums
 
  Forum  DotNetNuke® Pro...  Blog Module [Le...  "Make this blog public" -- blog not completely hidden
Previous Previous
 
Next Next
New Post 6/21/2008 4:22 PM
Resolved
User is offline EJSawyer
5 posts
10th Ranked


"Make this blog public" -- blog not completely hidden 

If a blog is created, and the "Make this blog public" checkbox is cleared, then the blog doesn't appear in the Blog List.  In theory, this should prevent unauthorized users from accessing the blog through any means.

However, I noticed that during certain operations, the BlogID is passed in the URL (e.g. ".../tabid/100/BlogID/2/Default.aspx").  I discovered that a curious surfer, even one that isn't logged in at all, can edit this BlogID and see some basic information about the Blog (summary line, creation date, and most importantly, the author's username or full name).  They can't see the articles, but even so, this potentially exposes information that may not be intended to be public.  This is even true if the [Module Settings]/[Personal Blog Page] is set to a parent blog (so that the blog list shows only the child blogs).

While I understand that is probably low-risk for most deployments, please address this as a security issue.

- EJSawyer
 
New Post 6/22/2008 1:44 PM
Accepted Answer 
User is offline Dario Rossa
366 posts
www.dariorossa.it
8th Ranked




Re: "Make this blog public" -- blog not completely hidden 

Hi EJSawyer,

the actual policy about this is to remove the blog from the blog list if it is not checked to make public and make all the relative entries hidden. When altering the querystring users can still read the blog's description and general data, that may break security consistency. I filed this issue in Gemini, thank you very much for your feedback.

Best regards,
Dario Rossa

Dario RossaDario Rossa
Personal WebSite: http://www.dariorossa.it
DotNetNuke: http://dotnetnuke.dariorossa.it
 
 Page 1 of 1
Previous Previous
 
Next Next
  Forum  DotNetNuke® Pro...  Blog Module [Le...  "Make this blog public" -- blog not completely hidden
 


Forum Policy

These Discussion Forums are dedicated to the discussion of the DotNetNuke Web Application Framework.

For the benefit of the community and to protect the integrity of the project, please observe the following posting guidelines:

1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DotNetNuke.
2. Discussion or promotion of DotNetNuke product releases under a different brand name are strictly prohibited.
3. No Flaming or Trolling.
4. No Profanity, Racism, or Prejudice.
5. Site Moderators have the final word on approving/removing a thread or post or comment.
6. English language posting only, please.
 


Code Endeavors, LLC
Do you Endeavor to Enhance your DotNetNuke designs by utilizing AJAX technologies to more efficient interactive web experiences
www.codeendeavors.com 		T-WORX, INC.
Professional DotNetNuke Solutions
www.t-worx.com 		AppTheory
Professional development for medium to large projects based on the DotNetNuke platform.
www.apptheory.com

DotNetNuke Corporation   Terms Of Use  Privacy Statement
DotNetNuke®, DNN®, and the DotNetNuke logo are trademarks of DotNetNuke Corporation
Hosted by MaximumASP